[GIT PULL] SELinux patches for v5.5

Roberto Sassu roberto.sassu at huawei.com
Tue Dec 3 07:57:27 UTC 2019


> -----Original Message-----
> From: owner-linux-security-module at vger.kernel.org [mailto:owner-linux-
> security-module at vger.kernel.org] On Behalf Of Paul Moore
> Sent: Tuesday, December 3, 2019 3:15 AM
> To: Mimi Zohar <zohar at linux.ibm.com>
> Cc: selinux at vger.kernel.org; linux-security-module at vger.kernel.org;
> Roberto Sassu <roberto.sassu at huawei.com>; initramfs
> <initramfs at vger.kernel.org>
> Subject: Re: [GIT PULL] SELinux patches for v5.5
> 
> On December 2, 2019 9:00:35 PM Mimi Zohar <zohar at linux.ibm.com>
> wrote:
> 
> > On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> >> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar at linux.ibm.com>
> wrote:
> >>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >>>
> >>> Hi Paul,
> >>>
> >>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >>>
> >>>> - Allow file labeling before the policy is loaded.  This should ease
> >>>> some of the burden when the policy is initially loaded (no need to
> >>>> relabel files), but it should also help enable some new system
> >>>> concepts which dynamically create the root filesystem in the initrd.
> >>>
> >>> Any chance you're planning on using Roberto's patches for including
> >>> security xattrs in the initramfs?[1]
> >>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> >>
> >> I'm assuming you're not asking about me personally? ;)
> >
> > No, of course not.  I was wondering if "help enable some new system
> > concepts which dynamically create the root filesystem in the initrd"
> > adds SELinux labels on the root filesystem.
> 
> Once again, that is more of a distro specific question.

If recent changes allow file labeling before the SELinux policy is loaded,
I think it would help the mechanism I developed. The SELinux label and
IMA/EVM signature can be included in the ram disk (standard CPIO image),
in a special file named METADATA!!! that follows the file the xattrs are applied to.

Roberto
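Worked sketch of the layout Roberto describes above: a newc-format cpio image in which a `METADATA!!!` entry immediately follows the file whose xattrs it carries, plus a reader that pairs each `METADATA!!!` entry with the preceding file. This is an added example, not code from the posted patch series or from the kernel; the record encoding inside `METADATA!!!` (length-prefixed name/value pairs) is an assumption made for this example, and the passwd content, SELinux label and IMA signature bytes are constructed placeholders.

```python
"""Added example: newc cpio image carrying security xattrs in a METADATA!!!
entry placed right after the file they belong to. The record format inside
METADATA!!! is assumed for illustration, not taken from any posted patch."""
import struct

NEWC_MAGIC = b"070701"         # "new ASCII" cpio format the kernel unpacks
METADATA_NAME = "METADATA!!!"  # special entry name from the mail
TRAILER_NAME = "TRAILER!!!"    # standard cpio end-of-archive marker
HEADER_LEN = 110               # 6-byte magic + 13 eight-digit hex fields


def _pad4(n):
    """newc aligns both the name and the payload of an entry to 4 bytes."""
    return (-n) % 4


def newc_entry(name, data, mode=0o100644, ino=0):
    """Serialise one cpio entry: header, NUL-terminated name, payload."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    header = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
    out = header + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
    return out + data + b"\0" * _pad4(len(data))


def encode_xattrs(xattrs):
    """Assumed METADATA!!! payload: (u32 name_len, name, u32 value_len, value)*."""
    out = b""
    for name, value in xattrs.items():
        nb = name.encode()
        out += struct.pack(">I", len(nb)) + nb + struct.pack(">I", len(value)) + value
    return out


def decode_xattrs(blob):
    """Parse the assumed payload back, rejecting truncated records."""
    xattrs, off = {}, 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated xattr record")
        (nlen,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + nlen + 4 > len(blob):
            raise ValueError("truncated xattr name")
        name = blob[off:off + nlen].decode()
        off += nlen
        (vlen,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + vlen > len(blob):
            raise ValueError("truncated xattr value")
        xattrs[name] = blob[off:off + vlen]
        off += vlen
    return xattrs


def build_initramfs(files):
    """files: iterable of (path, content, xattrs). A METADATA!!! entry is
    emitted right after any file that carries xattrs; then the trailer."""
    out = b""
    for ino, (path, content, xattrs) in enumerate(files, start=1):
        out += newc_entry(path, content, ino=ino)
        if xattrs:
            out += newc_entry(METADATA_NAME, encode_xattrs(xattrs))
    return out + newc_entry(TRAILER_NAME, b"", mode=0)


def iter_newc(archive):
    """Yield (name, data) per entry up to the trailer, bounds-checking so a
    truncated or corrupt image raises instead of yielding garbage."""
    off = 0
    while True:
        if archive[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        hdr = archive[off + 6:off + HEADER_LEN]
        if len(hdr) != HEADER_LEN - 6:
            raise ValueError("truncated header")
        fields = [int(hdr[8 * i:8 * i + 8], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        if namesize < 1:
            raise ValueError("empty name")
        name_start = off + HEADER_LEN
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data_end = data_start + filesize
        if data_end > len(archive):
            raise ValueError("truncated entry")
        name = archive[name_start:name_start + namesize - 1].decode()
        if name == TRAILER_NAME:
            return
        yield name, archive[data_start:data_end]
        off = data_end + _pad4(filesize)


def extract_with_xattrs(archive):
    """Return {path: (content, xattrs)}. METADATA!!! attaches to the entry
    immediately before it and is an error anywhere else."""
    tree, previous = {}, None
    for name, data in iter_newc(archive):
        if name == METADATA_NAME:
            if previous is None:
                raise ValueError("METADATA!!! without a preceding file")
            tree[previous][1].update(decode_xattrs(data))
            previous = None
        else:
            tree[name] = (data, {})
            previous = name
    return tree


# Constructed sample input: the label is illustrative and the "signature"
# bytes are a placeholder, not a real IMA signature.
SAMPLE_FILES = [
    ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n",
     {"security.selinux": b"system_u:object_r:passwd_file_t:s0",
      "security.ima": b"\x03\x02\x04\x01\xde\xad\xbe\xef"}),
    ("etc/motd", b"hello\n", {}),  # no xattrs, so no METADATA!!! follows
]

if __name__ == "__main__":
    for path, (content, xattrs) in extract_with_xattrs(build_initramfs(SAMPLE_FILES)).items():
        print(path, len(content), "bytes", xattrs)
```

The reader deliberately refuses an orphan `METADATA!!!` entry and any truncated header or record; an unpacker that silently skipped such entries would let a mangled image leave files unlabeled or unsigned without any error.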
